Glossary
Luxembourg legal AI, in plain language.
Definitions of the terms that come up most often when evaluating AI for legal practice in Luxembourg — GDPR, the EU AI Act, anonymisation, jurisprudence, professional secrecy, and more.
- Anonymisation
Removing identifying information from data so it can no longer be linked to a specific person.
Under the GDPR, anonymisation means processing personal data in a way that the data subject is no longer identifiable, directly or indirectly, by any reasonably likely means. Once data is genuinely anonymised it falls outside the scope of the GDPR. Pseudonymisation — replacing identifiers with pseudonyms while still allowing re-identification with additional information — is distinct and remains in scope.
See also: Pseudonymisation, GDPR, Personal data
- Cabinet
Standard term for a law firm in Luxembourg and other civil-law jurisdictions.
In Luxembourg legal practice, a cabinet is a law firm — typically a partnership of avocats à la Cour. Equivalent of "firm" in English-speaking jurisdictions, though with civil-law structural and regulatory differences (e.g. supervision by the Ordre des avocats du Barreau de Luxembourg).
- CNPD
Luxembourg's national data-protection supervisory authority.
The Commission nationale pour la protection des données (CNPD) is Luxembourg's GDPR supervisory authority, established under the Law of 1 August 2018. It investigates complaints, issues guidance, and may impose administrative fines under Article 83 GDPR.
See also: GDPR
- Cour d'Appel
Luxembourg's intermediate appellate court.
The Cour d'Appel hears appeals from the Tribunal d'arrondissement and decides points of fact and law. Its decisions are themselves subject to review by the Cour de Cassation on points of law only.
See also: Cour de Cassation, Tribunal d'arrondissement
- Cour de Cassation
Luxembourg's highest court of last resort for civil and criminal matters.
The Cour de Cassation reviews lower-court decisions on points of law only — it does not re-examine facts. Cassation jurisprudence is binding precedent for the lower courts in matters of legal interpretation.
See also: Cour d'Appel
- EU AI Act
Regulation (EU) 2024/1689 — the European Union's horizontal regulation of artificial intelligence systems.
The EU AI Act entered into force in August 2024 and applies in stages through 2025–2027. It classifies AI systems by risk (prohibited, high-risk, limited-risk, minimal-risk), imposes transparency and human-oversight obligations, and regulates general-purpose AI models. Legal-AI tooling that supports access to justice or judicial decision-making may fall under the high-risk category in Annex III.
See also: GDPR
- GDPR
Regulation (EU) 2016/679 — the EU's general data protection regulation.
The GDPR is the EU's horizontal data-protection law, in force since 25 May 2018. It governs the processing of personal data of individuals in the EU. Article 6 sets out the lawful bases for processing; Articles 15–22 set out data-subject rights; Articles 44–49 govern international transfers. Maximum administrative fines reach 4% of global annual turnover.
See also: CNPD, Personal data, Anonymisation, EU AI Act
- Generative AI
AI systems that produce new content — text, images, code — rather than only classifying or predicting.
Generative AI refers to models trained to produce new content in response to prompts. In a legal context, the most relevant generative-AI applications are document drafting, summarisation, translation, and Q&A. Generative AI outputs are probabilistic and may contain factual errors (so-called "hallucinations"), which is why human review remains mandatory in cabinet workflows.
See also: EU AI Act
- Jurisprudence
The body of court decisions that interpret and apply the law.
In civil-law jurisdictions like Luxembourg, jurisprudence is not formally binding precedent, but it is highly persuasive — particularly the consistent jurisprudence of the higher courts. Cabinet research routinely cites Cour d'Appel and Cour de Cassation jurisprudence to support arguments before the Tribunal d'arrondissement.
See also: Tribunal d'arrondissement, Cour d'Appel, Cour de Cassation
- Personal data
Any information that relates to an identified or identifiable natural person.
Article 4(1) GDPR defines personal data as any information relating to an identified or identifiable natural person — directly or indirectly, by reference to an identifier such as a name, an identification number, location data, or one or more factors specific to the person's identity. The bar for "identifiable" is low and includes information that becomes identifying when combined with other data.
See also: GDPR, Anonymisation, Pseudonymisation
- Professional secrecy
The legal duty of avocats and other regulated professionals to keep client information confidential.
Under the Loi du 10 août 1991 sur la profession d'avocat, Luxembourg avocats are bound by professional secrecy in respect of all information learned in the course of their professional activity. This duty is independent of and additional to the GDPR. Violations can attract criminal penalties under Article 458 of the Luxembourg Criminal Code.
- Pseudonymisation
Replacing identifying fields with pseudonyms while keeping a separate key that allows re-identification.
Pseudonymisation is recognised under Article 4(5) GDPR as a data-protection measure but does not remove personal data from the scope of the GDPR. Tokenising client names to "[Individual 1]" while keeping a re-identification map is pseudonymisation, not anonymisation, unless the map is destroyed.
See also: Anonymisation, GDPR
- Schrems II
The 2020 CJEU decision that invalidated the EU-US Privacy Shield and tightened the rules for international data transfers.
Schrems II (Case C-311/18) requires EU controllers transferring personal data to third countries to assess whether the destination country's law provides essentially equivalent protection to the EU's. In practice this drives the use of Standard Contractual Clauses, supplementary measures, and EU-only deployments for high-sensitivity data.
See also: GDPR
- Subprocessor
A third party engaged by a data processor to carry out specific processing on behalf of a controller.
Under Article 28(2) and 28(4) GDPR, a processor must obtain prior written authorisation before engaging a subprocessor and must impose the same data-protection obligations on it. For a SaaS legal AI tool, common subprocessors include the cloud-hosting provider, the language-model provider, and the email and support tooling.
See also: GDPR
- Tribunal d'arrondissement
Luxembourg's court of first instance for civil, commercial and most criminal matters.
Luxembourg has two Tribunaux d'arrondissement — Luxembourg and Diekirch. They hear most civil and commercial matters at first instance. Decisions are appealable to the Cour d'Appel.
See also: Cour d'Appel
- Vector search
Retrieving documents by semantic similarity to a query, using vector embeddings rather than keyword matching.
Vector search converts both documents and queries into high-dimensional embeddings and ranks results by cosine or dot-product similarity. For legal research it complements keyword search by matching on meaning — useful when the exact terminology in a query differs from the wording in the corpus, which is common across French, German, Luxembourgish and English legal text.
- Zero data retention
A contractual commitment by a service provider not to retain customer data beyond what is needed to complete the immediate request.
Zero-data-retention agreements are increasingly standard in enterprise AI contracts. They commit the provider to flush request data after processing and not use it for model training. They complement, but do not replace, anonymisation: a tool that sends identifiable client data to a zero-retention endpoint is still sending identifiable client data.
See also: Anonymisation